Amendments to the Specification

Please replace the paragraph on Page 1, lines 5-8 with the following marked-up replacement paragraph:



-- The present invention is related to U.S. Patent [[(serial number 09/______, titled ______)]] 09/613,983, titled "Technique for Synchronizing Security Credentials from a Master Directory, Platform, or Registry", which is commonly assigned to the International Business Machines Corporation and which was filed concurrently herewith on [[______]] July 11, 2000. --




Please replace the paragraph on Page 15, lines 6-7 with the following marked-up replacement paragraph:

-- Figure 4 depicts a flow chart which sets forth a preferred embodiment of the logic involved in implementing the scenario illustrated in Figure [[4]] 1; --



Please replace the paragraph on Page 25, lines 1-14 with the following marked-up replacement paragraph:



-- The logic with which this process operates is depicted in Fig. 4. At 401, the user initiates the synchronization process by connecting to the synchronization agent. The agent then prompts the user (402) to enter his/her security credentials. The user provides those credentials (403), and the agent then performs the validation by communicating with the master registry (404). A test is made to determine whether the validation was successful (405); if not, an error is preferably reported to the user (409). The user may be given another chance to re-enter the credentials, if desired (not shown in Fig. 4); preferably, a relatively low upper limit is imposed on the number of times the user is allowed to retry the operation, in order to prevent security exposures such as brute force attacks. When the validation was successful, the password synchronization policy is interrogated (406) to see if this user's credentials are to be propagated to one or more other registries. If so, then the credentials which the user entered at [[402]] 403 are forwarded to those target registries (408). A message is preferably provided to the user (409) indicating that the propagation has occurred, or that there were no propagation targets registered. The processing of Fig. 4 then ends. --
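The Fig. 4 flow as an added, runnable model (not code from the patent or from IBM): in-memory registries stand in for the master and target registries, the retry cap `MAX_ATTEMPTS` and the per-user lockout are assumptions, and the policy is simply a map from user to target registry names.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3  # assumed "relatively low upper limit" on retries (405 -> 409 loop)


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so registries never store the secret itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Registry:
    """A master or target registry: user id -> (salt, hash)."""

    def __init__(self):
        self.entries = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.entries[user] = (salt, _hash(password, salt))

    def validate(self, user: str, password: str) -> bool:  # step 404
        rec = self.entries.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, _hash(password, salt))


class SyncAgent:
    def __init__(self, master: Registry, policy: dict, targets: dict):
        self.master = master
        self.policy = policy      # user -> list of target registry names (406)
        self.targets = targets    # registry name -> Registry
        self.failures = {}        # per-user count of failed validations

    def synchronize(self, user: str, password: str) -> str:
        """Steps 401-409: validate against the master, then propagate per policy."""
        if self.failures.get(user, 0) >= MAX_ATTEMPTS:
            return "locked"                                  # retry limit reached
        if not self.master.validate(user, password):         # 404 / 405
            self.failures[user] = self.failures.get(user, 0) + 1
            return "validation failed"                       # 409
        self.failures[user] = 0
        names = self.policy.get(user, [])                    # 406
        if not names:
            return "no propagation targets registered"
        for name in names:                                   # 408
            self.targets[name].set_password(user, password)
        return "propagated to " + ", ".join(names)
```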



Please replace the paragraph that begins on Page 26, line 5 and carries over to Page 27, line 14 with the following marked-up replacement paragraph:

-- As shown in Fig. 5, the user connects 501 to the password synchronization agent [[520]] 510 using a web browser, telnet client, or other similar client program 500. As in the first preferred embodiment described above, this connection between the user client and the password synchronization agent should be encrypted and the password synchronization agent should be authenticated to the client, using SSL or similar means. The user's ID and password (or other secret identifying information) are sent to the password synchronization agent over this secure connection. The user may also explicitly specify the authenticating domain (meaning a trusted target registry [[540]] 530 to be used in authenticating the user) as part of this transmission, or trust policies within the master registry [[530]] 520 may identify that trusted registry [[540]] 530. The password synchronization agent then connects to the master registry to look up the trust and password synchronization policies (502, 503). As described for the first preferred embodiment,
Serial No. 09/614,087 -3- Docket RSW9-2000-0074-US1

these may be specified on a per-user basis, or for the entire master registry, or for subsets of the entries in the master registry. The password synchronization agent looks in the master registry for a trust policy that applies to the current user. If: (a) such a policy is found, and (b) it indicates that the authenticating domain indicated by the user is a trusted registry for that user's entry in the master registry, or (c) the user did not specify the authentication domain but the policy does, then the password synchronization agent authenticates the user with the trusted registry (504, 505). If this authentication succeeds, the password synchronization agent updates 506 the user's password (or other secret security credential) in the master registry. It then reports 507 the results to the user. The user's password or security credential may then be updated in other target registries, either by the password synchronization agent itself or by the update process of a meta-directory connector of the type which has been previously described (508, 509). In the preferred embodiment, the password synchronization agent must be configured with an administrative identity and corresponding authentication credential for the master registry, and if the password synchronization agent itself performs password updates for target registries, it must be configured with an administrative identity and corresponding authentication credential for these as well. All connections between the password synchronization agent and the master, trusted, and target registries should be protected by encryption and by an authentication process for each target sender, via SSL or similar means. --
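The trust-policy decision of Fig. 5 (conditions (a), (b) and (c), then steps 504-509) as an added model, not code from the patent: the three policy scopes follow the text, while the `match` syntax, the `default` field and the callable per-registry authenticators are assumptions of this example.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class TrustPolicy:
    scope: str                      # "user", "subset" or "registry"
    match: Optional[str]            # user id, "attr=value" for a subset, None for registry-wide
    trusted: Set[str]               # registries trusted to authenticate users in this scope
    default: Optional[str] = None   # domain applied when the user names none (condition c)


def applicable_policy(policies: List[TrustPolicy], user: str, entry: dict) -> Optional[TrustPolicy]:
    """Most specific policy wins: per-user, then subset of entries, then whole registry."""
    rank = {"user": 0, "subset": 1, "registry": 2}
    for p in sorted(policies, key=lambda p: rank[p.scope]):
        if p.scope == "user" and p.match == user:
            return p
        if p.scope == "subset":
            attr, val = p.match.split("=", 1)
            if entry.get(attr) == val:
                return p
        if p.scope == "registry":
            return p
    return None


def choose_domain(policies, user, entry, requested=None) -> Optional[str]:
    """Steps 502-504: which trusted registry, if any, may authenticate this user."""
    p = applicable_policy(policies, user, entry)
    if p is None:                                            # (a) no policy found
        return None
    if requested is not None:                                # (b) user-named domain must be trusted
        return requested if requested in p.trusted else None
    return p.default if p.default in p.trusted else None    # (c) policy supplies the domain


def synchronize(policies, master: dict, authenticators: Dict[str, Callable[[str, str], bool]],
                targets: List[dict], user: str, password: str, requested=None) -> str:
    """Steps 504-509 over in-memory registries (master and targets are dicts)."""
    entry = master.get(user)
    if entry is None:
        return "unknown user"
    domain = choose_domain(policies, user, entry, requested)
    if domain is None:
        return "no trusted authenticating domain"
    if not authenticators[domain](user, password):           # 505: trusted registry verifies
        return "authentication failed"
    salt = os.urandom(16)                                     # 506: store a salted hash, not the secret
    entry["credential"] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
    for t in targets:                                         # 508/509: same hash copied for brevity
        t[user] = entry["credential"]
    return f"authenticated via {domain}; {len(targets)} target registries updated"
```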